Creating passwords to online accounts, and prompts by which to remember them, has become part of everyday life. Yet each time we create a user account, we place our trust in the service provider and in the provider’s security protocols to protect these usernames, passwords and other personal data attached to the account.
On Oct. 3, Adobe announced that cyberattackers had accessed account information, including customer IDs and encrypted passwords, of 2.9 million users. Password-protected accounts are required for use of current versions of such popular Adobe software as Photoshop, Illustrator and Premiere. A few weeks later, the company raised its estimate of the number of affected users to 38 million. According to Adobe spokesperson Heather Edell, these were “users with valid email addresses who have created an Adobe ID — or who have logged in with an Adobe ID — within the past two years.”
Adding insult to injury, hackers last week circulated on several public forums a data set that they believe contains 10 GB of Adobe user account data. Adobe has not confirmed that this data set is its own. "Our investigation is ongoing," Edell said.
Al Jazeera America obtained a copy of this data set, which contains information from what appear to be nearly 150 million accounts, including more than 130 million encrypted passwords and more than 43 million password hints — questions or phrases designed to prompt the user to remember a forgotten password.
Each row of the data set contains a unique user ID, email address, encrypted password and password hint.
The Adobe data breach shows just how vulnerable consumers are when signing up for an online account. Once stolen, this kind of data is often sold to underground communities, where hackers analyze it, crack the passwords and can potentially use the information to commit identity fraud. The data also reveals just how careless many users are in choosing their account settings — which makes not just themselves, but also others in the database, vulnerable to identity fraud.
“It's really quite difficult for consumers to evaluate the security practices of the company that they do business with," said Paul Stephens, director of policy and advocacy at Privacy Rights Clearinghouse, which seeks to educate people about privacy issues. “Unfortunately, consumers are largely powerless when the data is in the hands of third parties beyond their control.”
Everyone knows that it’s imperative for users to be careful with their passwords and password hints. But not all consumers are.
While it still takes considerable technical knowledge to decrypt passwords, carelessly chosen hints often provide an easier way to crack an account. Once a hacker knows both the password and the associated hint, she or he can be very destructive.
There are many hints that can easily give away a password. For example, Al Jazeera found that many password hints appear to be identical to the password itself — a person using “password123” as a hint might have set the password itself to be “password123.”
Password hints in the leaked data set included “bank account password” or “my social security number,” which would allow the hacker to access much more than the victim’s Adobe account.
“It contains accounts that have gone back a while. So people might not even remember that five, six years ago they created an Adobe account,” said Jeremi Gosney, founder and password expert at Stricture Consulting Group.
Other hints in the data set suggested that the password was information easily found across multiple social media channels, such as the name of the user’s mother, father or pet.
Al Jazeera ranked some of the most popular password hints in a chart (not reproduced here).
If passwords from this data set are exposed, again, more than just Adobe accounts are at stake. A user could be employing the same password across different accounts, including online bank accounts. If you set your Social Security number as your password, a hacker could use it to apply for a loan or credit card. In essence, all this information makes consumers vulnerable to identity fraud.
Since the data was published, password researchers and security enthusiasts have been trying to determine Adobe’s method of encrypting user passwords.
Gosney obtained a copy of the data set early last week. Along with two other password researchers, he was able to determine the way Adobe encrypted its passwords in the leaked data set. He has not been able to reverse-engineer all the original passwords yet, but based on the password hints and other analysis, he was able to crack passwords for a sizeable chunk of the user database.
Adobe used a method in which every password was encrypted with the same encryption key. As a result, the 1.9 million people who chose the same password all ended up with the same encrypted password. This differs from other methods of password storage in which identical passwords are stored as different values.
While the public data set did not come with the Adobe encryption keys that can transform all encrypted passwords back into their original forms, it is very possible that the attackers who stole the data could also have taken the keys when they accessed the company’s system.
“They had access to these systems for quite a while,” Gosney said. “So it’s not unreasonable to say that they also stole encryption keys for these passwords. Almost guaranteed that they stole the encryption keys as well.”
In this data set, Adobe used a password encryption method that obscures all passwords using the same encryption keys. This means that if one user has the same password as another, their encrypted passwords will be identical. Here are the most common passwords found in the Adobe data set.
[Interactive quiz: guess the password from its hints. The hints and the size of each group of identical encrypted passwords are kept here; the answers are not reproduced.]
Hints: “Numeros de 1 a 6”, “numeri da1 a 6” — more than 1.9 million accounts shared this password.
Hints: “zahl von 1 bis 9” — more than 446,000 accounts shared this password.
Hints: “what are u looking for”, “what it is” — more than 345,000 accounts shared this password.
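The following is an added example, not code from the article and not Adobe’s actual scheme: a few constructed accounts are stored two ways, once with a single shared key and no salt (a fixed-key HMAC stands in for any deterministic same-key encryption), and once with a per-user random salt. Grouping the leaked rows by stored value shows why the first scheme lets an analyst pair a cluster of identical values with the hints attached to it, and why the second scheme leaves nothing to cluster.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts: (user_id, password_hint, password). The plaintext
# is used only to build stored records; the analysis below never sees it.
SAMPLE_USERS = [
    (1, "Numeros de 1 a 6", "123456"),
    (2, "numeri da1 a 6", "123456"),
    (3, "six digits", "123456"),
    (4, "zahl von 1 bis 9", "123456789"),
    (5, "what it is", "password"),
    (6, "what are u looking for", "password"),
    (7, "", "correct horse battery"),
]

# Hypothetical single site-wide key; a fixed-key HMAC stands in for any
# deterministic "same key for every password" scheme (not Adobe's actual cipher).
SERVER_KEY = b"constructed-single-site-wide-key"

def store_same_key(password: str) -> str:
    """Deterministic and unsalted: equal passwords produce equal stored values."""
    return hmac.new(SERVER_KEY, password.encode(), hashlib.sha256).hexdigest()

def store_salted(password: str, salt: bytes = b"") -> str:
    """Per-user random salt plus iterated hashing: equal passwords do not collide."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()

def leaked_records(store):
    """What a leak exposes for each account: the stored value and the hint."""
    return [(store(pw), hint) for _, hint, pw in SAMPLE_USERS]

def cluster_hints(records):
    """Group leaked rows by stored value and collect each group's non-empty hints,
    largest group first. With deterministic storage one group is one shared
    password and its hints describe it; with salted storage every group has size 1."""
    groups = defaultdict(list)
    for stored, hint in records:
        groups[stored].append(hint)
    clusters = [(len(hints), [h for h in hints if h]) for hints in groups.values()]
    return sorted(clusters, key=lambda c: c[0], reverse=True)

if __name__ == "__main__":
    print("same key:", cluster_hints(leaked_records(store_same_key))[:2])
    print("salted:  ", [size for size, _ in cluster_hints(leaked_records(store_salted))])
```

The largest same-key cluster carries three hints that all describe the digits 1 to 6, which is exactly the kind of inference the quiz above relies on; the salted store yields seven singleton groups and no such signal.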
Adobe has been using a different, and more secure, method for encrypting passwords for the past year, according to Edell. That method is SHA-256, a national standard for hashing.
Users can make it harder for hackers to get their information by using passwords that are less traceable. Fraud experts, such as private investigator Jimmie Mesis, suggest using information like one's favorite food — which is harder to guess than the name of a parent — as part of a password. He also recommends using different passwords for different accounts. But ultimately he believes that data breaches are inevitable now.
"You're becoming accustomed to the new norm. And the new norm is that all data is subject to be hacked," said Mesis. "Expect that you'll be compromised."
Additional reporting contributed by Lam Thuy Vo.
Note: For privacy purposes, example data in this article was randomly generated but accurately represents the look and feel of the original data set.